Api standards for data-sharing (account aggregator)
Download 1.78 Mb. Pdf ko'rish
|
othp56
|
Restricted CGIDE – API standards for data-sharing – October 2022 27 Open finance in Brazil Aligned with the principle that consumers own their personal data and therefore should be able to use them to their own benefit, including sharing with other parties, the Central Bank of Brazil (BCB) and the National Monetary Council (CMN) defined the main principles and rules for open banking (which evolved into open finance). These principles allow the standardised sharing of data and services between financial institutions and other institutions licensed by the BCB. The data-sharing occurs through standardised APIs in a safe, agile, precise and convenient process covering the steps of consent, authentication and confirmation. This data-sharing must have been previously consented to by the customer. Each consent must be tied to specific purposes and has a validity period limited to 12 months, which could be revoked by the customer at any given time through either of the institutions involved in the data-sharing. The Brazilian model has a broader scope than the initiatives in other countries. Participation in data-sharing is mandatory for the largest institutions (S1 and S2 firms, according to prudential regulation), while other licensed firms can participate by observing a data reciprocity requirement. The scope of the data includes the standardisation of APIs for sharing open data on available products and access channels (phase 1), customer registry and transactional data on payment and accounts (phase 2) and payment initiation service (phase 3). However, as in other jurisdictions, the Brazilian model also includes data-sharing on credit operations, and has done so from the start. Participants are expected to soon have APIs in place to share data on investment, insurance and foreign exchange operations (phase 4), among others. A secure environment is key to reducing information asymmetry by de-monopolising data, leading to increased competition and, hopefully, cheaper and better financial services for consumers. In this regard, the BCB set rules to build an initial governance structure with the aim of reducing players’ often conflicting interests while seeking non-discriminatory access and regulatory compliance. In this structure, the participating segments share equal status and voting powers to present the technical standards and build a common tech infrastructure (eg a participant directory, service desk and sandbox). This framework sets technical requirements for open finance sharing, including OpenID Connect 2.0 and a national Financial-grade API (FAPI) profile. The governance structure submitted these requirements to the BCB, and the BCB ultimately included them in the regulatory framework that all participants must observe. The BCB expects open finance to promote a more competitive and efficient financial system, by generating new opportunities for all parties involved. Many use cases will only become clear over time. Some are already apparent such as financial counselling and payment initiation. Others such as credit risk analysis and customer onboarding by participating institutions show improvement. In numbers, open finance in Brazil has recently completed one year of implementation, with over 5 million active consents, over 2 billion successful API calls and around 800 participating institutions in total. As for the main challenges, the BCB points out that participants must agree on a definite governance structure in 2022, and the ecosystem should continue to evolve towards phase 4. In 2023 the BCB expects to issue requirements for interoperability in the open insurance framework. Furthermore, raising public awareness of the project is another key challenge in the years to come. In conclusion, open finance is not meant as a static model but rather as an evolving one. Although defining the technical standards is a challenge in the short-term, its scope should be understood as dynamic in nature, enabling new solutions in the long run. Technical remarks The BCB has decided that each financial institution (data provider) is legally responsible for authenticating the customers (data owners) and third parties (data recipients) asking for their customers’ data. They are also legally responsible for ensuring that third parties access only data and capabilities for which access has previously been authorised (consented to) by customers. These legal requirements naturally led Brazil’s open finance to a decentralised architecture. |
